Applicable To: Duke University

Legend: ✓ = yes; – = no


What to do

Public Risk/Data

Restricted Risk/Data

Sensitive Risk/Data


Systems that store, process, or access Sensitive data should be patched within two weeks of a security update addressing a Critical or High vulnerability becoming available. Systems that store, process, or access Restricted or Public data should be patched within four weeks of a security update addressing a Critical or High vulnerability becoming available.

Vulnerability Management

ITSO conducts monthly scans, which may uncover vulnerabilities on hosts or applications. Departments should use Security Center to identify and remediate vulnerabilities. Remediate Critical and High vulnerabilities within 14 days. Do not explicitly block our vulnerability scanning.


Permit the minimum necessary services through any departmental network firewalls and/or host-based protections.

Credentials and Access Control

Review existing accounts and privileges annually. Enforce password complexity. Web application logins with credentials are required to use SAML.

Two-Step Authentication

Require multi-factor authentication for all administrator logins (PRS) and interactive users of RS applications.

Centralized Logging

Forward logs to a remote log server. University IT Splunk service recommended.

Secure Software Development

Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.

Monitor for Application Security Updates

Join and monitor security and development lists to receive notification of updates.


Regular backups and encryption are recommended. Note that not all Sensitive or Restricted application data is permitted to be backed up.

Administrative Account Access

Use separate administrative and personal accounts. Manage group passwords with a password manager.

Security Review

Request a Vendor Risk Assessment prior to signing a contract or renewing an unreviewed contract with a vendor.

Regulated Data Security Controls

Implement PCI DSS, HIPAA, or export controls as applicable.

Last Reviewed: 08/17

Document Type: Standard